{"description": "Enterprise techniques mitigated by Privileged Process Integrity, ATT&CK mitigation M1025 (v1.2)", "name": "Privileged Process Integrity (M1025)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.002", "comment": "Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.005", "comment": "Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.008", "comment": "On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\RunAsPPL to dword:00000001. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Enabled features, such as Protected Process Light (PPL), for LSA.(Citation: Microsoft LSA)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.001", "comment": "Enabled features, such as Protected Process Light (PPL), for LSA.(Citation: Microsoft LSA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "\nOn Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.(Citation: Microsoft LSA)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.(Citation: Microsoft LSA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Privileged Process Integrity", "color": "#66b1ff"}]}